Airlock WAF and Airlock Login/IAM are not affected. Back-ends behind Airlock WAF may be vulnerable; see Resolution.

CVE-2017-12615, CVE-2017-12617
Remote code execution is possible if HTTP PUT requests are enabled. Airlock Login/IAM and WAF are not affected in the default configuration, because HTTP PUT is disabled.

CVE-2017-12616
This attack may allow bypassing security constraints and viewing JSP source code if a VirtualDirContext is used. Airlock Login/IAM and WAF are not affected in the default configuration, as no VirtualDirContext is used.

Resolution:

CVE-2017-12615, CVE-2017-12617
Airlock WAF protects vulnerable Tomcat back-ends by default because the HTTP method PUT is blocked. If PUT must be allowed in the Airlock WAF configuration (see mapping - allow rules) and you are running a vulnerable Tomcat version behind Airlock WAF (check the readonly servlet setting), we recommend updating Apache Tomcat.

CVE-2017-12616
If you are running a vulnerable Tomcat version behind Airlock WAF (check the "VirtualDirContext" setting), we recommend updating it.